Privacy Case Plaintiff Must Prove Actual Harm

The intimate nature of testimony involved in a sexual harassment suit often leaves the plaintiff feeling vulnerable. But during the defense's deposition in a 2006 business tort countersuit against Bonnie Van Alstyne, who had sued her former boss at Electronic Scriptorium Ltd. (ESL) for sexual harassment, the invasion of her privacy reached a whole new level.

The defense counsel produced several e-mails from Van Alstyne's personal America Online (AOL) account as exhibits. She investigated how ESL obtained the messages and discovered that her former boss, Edward Leonard, had inappropriately accessed her personal AOL account on multiple occasions.

Van Alstyne filed a new claim against Leonard, later amending it to include ESL, alleging he violated the Stored Communications Act (SCA) by accessing her AOL account and reading her personal messages. Leonard testified that he broke into Van Alstyne's e-mail account after he terminated her in 2002, but only in the instances of the e-mails presented during the deposition. During discovery, Van Alstyne's counsel found copies of 258 e-mails Leonard obtained during more than 100 account log-ins.

The U.S. District Court for the Eastern District of Virginia awarded Van Alstyne $150,000 in compensatory damages and $75,000 in punitive damages from Leonard, and $25,000 each in punitive and compensatory damages from ESL, as well as attorney's fees and costs. The compensatory damages comprised statutory damages of $1,000 for each violation of the SCA.

On March 18, the 4th Circuit vacated the awards in Van Alstyne v. Electronic Scriptorium Ltd. and remanded the case to the district court, ruling that the plaintiff suffered no actual harm and therefore was not entitled to statutory damages. However, the 4th Circuit determined she needn't prove actual harm to win punitive damages. The three-judge panel asked the district court to reconsider the amount of the punitive award in light of the loss of statutory damages.

Many are cheering the decision for cracking down on statutory damage awards granted in privacy cases when the plaintiff hasn't suffered actual harm. In Van Alstyne's case, the revelation of her private e-mails proved embarrassing, but she didn't suffer any financial loss as a result, says Kirk Nahra, a Wiley Rein partner.

"There are a lot of things people do that they shouldn't that don't violate laws," he says. "I could be rude to you, and I shouldn't do that, but I didn't violate a law."

Questionable Damage

Actual harm is a common question in determining awards in privacy cases, especially in class action suits alleging a data breach or other failure to protect sensitive information where no one is actually injured.

Nahra points to a series of class action lawsuits filed against companies after Congress passed the Fair and Accurate Credit Transactions Act (FACTA), which prohibited businesses from printing full credit card numbers and expiration dates on receipts. Many businesses understood they had to truncate the credit card number but did not realize they had to remove the expiration date. "Nobody got harmed for a dime," Nahra says. "You want people to follow the law, but there are ways of making them do that without saying, 'You made a mistake, and it's going to bankrupt your company forever.'" Congress stepped in and amended the law to prevent more class action suits from going forward.

Nicholas Hantzes, the managing partner at Hantzes & Associates, who represents ESL, says he thought from the time he prepared the appellate brief the company would not be liable for statutory damage. "We were convinced that was right," he says. "[Van Alstyne] had to put on evidence of actual damages to recover statutory damages."

Though he did not give an exact figure, he says ESL offered to settle for more than $100,000, which would have been larger than the punitive damages award. Troutman Sanders Partner Christopher Abel, who represents Van Alstyne, says the original complaint pleaded actual damages, but Van Alstyne amended the complaint because that argument would have required further invasion of her privacy.

While the plaintiff is considering amending the complaint again to re-enter actual damages, ESL and Leonard have both filed for bankruptcy, so regardless the amount of the new award, Abel says it could be difficult to collect.

Floodgates Opened

Albert Gidari, a partner at Perkins Coie, says this case opens the floodgates for privacy cases to go beyond a motion to dismiss or summary judgment.

"Now all plaintiffs will have to do is allege the conduct was willful or intentional, that the company knew or should have known what they were doing was an improper act," he says. "You'll never be able to dismiss a case at an early stage." This is particularly true for class action suits over data breaches, he says. Even if a company released information inadvertently, its failure to do everything possible to protect information can still show willful misconduct.

"All of the incentives are going to be to settle these cases quickly rather than incur legal fees," Gidari says. And he says that plaintiffs lawyers will continue to fight for statutory damages, regardless of actual harm. "I don't think it's the final nail in the coffin [on these cases]," he says.

Abel says punitive damages could become a more attractive option in other cases that don't award statutory damages. "I'm not convinced that, at the end of the day, the defendants will come out any better than they did before," he says.